Analysis
max time kernel: 151s
max time network: 127s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 00:45
Static task: static1
Behavioral task: behavioral1
Sample: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Resource: win7-20220812-en
General
Target: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
Size: 1.0MB
MD5: 788b37226d3f0a126a24396a0d4c90e4
SHA1: e6cf3e41c10e7dbbf9aba2a9c661124b794c0068
SHA256: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7
SHA512: 4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5
SSDEEP: 24576:9BxT7o15hf9CMU07DKiWMNT8e7EloFmGzHaI49CpV:9LTslUMF7DsCEljGv4wL
Malware Config
Signatures

Executes dropped EXE 3 IoCs
Processes:
- PID 1700 natsv.exe
- PID 1068 dnsmon.exe
- PID 1736 natsv.exe

Loads dropped DLL 3 IoCs
Processes:
- PID 1772 cmd.exe
- PID 1700 natsv.exe
- PID 1444 cmd.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
- vbc.exe: key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 3: whatismyipaddress.com
- flow 5: whatismyipaddress.com
- flow 6: whatismyipaddress.com

Suspicious use of SetThreadContext 4 IoCs
Processes:
- PID 1884 bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe set thread context of PID 1644 RegAsm.exe
- PID 1068 dnsmon.exe set thread context of PID 1280 RegAsm.exe
- PID 1644 RegAsm.exe set thread context of PID 956 vbc.exe
- PID 1644 RegAsm.exe set thread context of PID 1016 vbc.exe

Drops file in Windows directory 2 IoCs
Processes:
- bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe: file created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new
- bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe: file created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (distinct entries):
- PID 1884 bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
- PID 1700 natsv.exe
- PID 1068 dnsmon.exe
- PID 1736 natsv.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1884 bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
- Token: SeDebugPrivilege, PID 1884 bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe
- Token: SeDebugPrivilege, PID 1700 natsv.exe
- Token: SeDebugPrivilege, PID 1068 dnsmon.exe
- Token: SeDebugPrivilege, PID 1068 dnsmon.exe
- Token: SeDebugPrivilege, PID 1644 RegAsm.exe
- Token: SeDebugPrivilege, PID 1736 natsv.exe
- Token: SeDebugPrivilege, PID 956 vbc.exe
- Token: SeDebugPrivilege, PID 1016 vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 1644 RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct entries):
- PID 1884 bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe wrote to memory of PID 956 cmd.exe
- PID 1884 bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe wrote to memory of PID 1644 RegAsm.exe
- PID 1884 bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe wrote to memory of PID 1772 cmd.exe
- PID 1772 cmd.exe wrote to memory of PID 1700 natsv.exe
- PID 1700 natsv.exe wrote to memory of PID 1688 cmd.exe
- PID 1700 natsv.exe wrote to memory of PID 1068 dnsmon.exe
- PID 1068 dnsmon.exe wrote to memory of PID 1280 RegAsm.exe
- PID 1068 dnsmon.exe wrote to memory of PID 1444 cmd.exe
- PID 1444 cmd.exe wrote to memory of PID 1736 natsv.exe
- PID 1736 natsv.exe wrote to memory of PID 364 cmd.exe
- PID 1644 RegAsm.exe wrote to memory of PID 956 vbc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Accesses Microsoft Outlook accounts
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (level 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: "C:\Windows\System32\cmd.exe"

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 5)
          Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

        C:\Windows\SysWOW64\cmd.exe (level 5)
          Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe (level 6)
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe (level 7)
              Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f

              C:\Windows\SysWOW64\reg.exe (level 8)
                Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "cmd /c C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe" /f
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize: 321B
  MD5: e62221a3bb549a72fcc4afa60d34e620
  SHA1: d60b16b540e0e3ed459a30cce0678d1fc8a1989a
  SHA256: 587f8f51485b575f30e5e1608f70b31b9d8bb384318802373cc52cbdf2a4aa95
  SHA512: 5b6f6a3a88961b62870e486b02e41d065b3f054f3ad45f7c7e01aff3ba151893e36fd3c13771ed9e3738aaa525296a8ee72adc05fb32932ec3af259404172aed

C:\Users\Admin\AppData\Local\Temp\holdermail.txt
  Filesize: 321B
  MD5: c3609e29395ccd5fd8407fed36414e75
  SHA1: 04c0c5dc3fcced0c5581c44af17fa60260fb591a
  SHA256: a32df1c247d5738af4241edc4aa520dbb21013d05d47cac5db96ccfb48de7857
  SHA512: 8bbd7b458f2be6e91c46cad8f682e109c7a7317f9ae89e5ce889ae7d4db5775b83d03016f47b56aa75bd5646a50c06ae7adbf2fc8af6b9f8a976f2ce30de3533

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
  Filesize: 1.0MB
  MD5: 788b37226d3f0a126a24396a0d4c90e4
  SHA1: e6cf3e41c10e7dbbf9aba2a9c661124b794c0068
  SHA256: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7
  SHA512: 4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
  Filesize: 24KB
  MD5: 17f51ab722963d73b5dcd050d06e6d40
  SHA1: 70a1eb538fe961512c74dda727ef185c8eb42884
  SHA256: e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417
  SHA512: 041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d

C:\Users\Admin\AppData\Roaming\pid.txt
  Filesize: 4B
  MD5: 89f03f7d02720160f1b04cf5b27f5ccb
  SHA1: cbf641003962d3b22ea5aeb9164c4cff46a13515
  SHA256: f7d9615965e2b49c6bde79dedfdecc39afade6e543922d5d023fda9d13430c44
  SHA512: b86aa582e4cbffc73c377a673ee2364627f267fe71a97a95b1cfcbb2c79373da88190563f456a178d9d734daeeb5f1e12df41d61ce6c4b50cbcd03f506cb0642

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  Filesize: 514B
  MD5: 7d0f29a8d29738edf7270a5e7f1fbf6b
  SHA1: 1dec7f3f2ec534f6ef7d0cce550660bfa56a0edd
  SHA256: 662facad877e2ec240eda39dc73ac1ac91d64365265783d141d7ed55ba734fcb
  SHA512: 4f766f334e041177aa12448055109f67d47f67e55a505f562d82a299b74230dde19a26470415f21c944fde1a92166b7dc3a718924e44d095dd77c3e8a73e21a0

\Users\Admin\AppData\Roaming\Microsoft\Windows\dnsmon.exe
  Filesize: 1.0MB
  MD5: 788b37226d3f0a126a24396a0d4c90e4
  SHA1: e6cf3e41c10e7dbbf9aba2a9c661124b794c0068
  SHA256: bcf7d54e905d4fbe92edfb185bf73f3c849aa383cc1a0e25b67c9c4292a141a7
  SHA512: 4eef2460a5c21c1b7452dfeb5dfeb1a96fb2e48e69d01d0d8697b24884581d77f63eb7e2cd5ff743bbd6abef8ccd7adef20eda199c5dbb91448973f490dbfad5

\Users\Admin\AppData\Roaming\Microsoft\Windows\natsv.exe
  Filesize: 24KB
  MD5: 17f51ab722963d73b5dcd050d06e6d40
  SHA1: 70a1eb538fe961512c74dda727ef185c8eb42884
  SHA256: e1b1dc86ebe7440828efab389cb9edcfd639463a8ff64742818a84859a7ff417
  SHA512: 041794fb9817e578e3aa00f019ce295b82dc6ee5dd23b49e79785570d3f60c058f6292b1382ff3b0e9999774cb60bc5a76919b4fd79d2bba85ea594d9719ac0d
Memory dumps:
- memory/364-109-0x0000000000000000-mapping.dmp
- memory/956-122-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/956-118-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/956-111-0x0000000000442FBF-mapping.dmp
- memory/956-110-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/956-115-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/956-56-0x0000000000000000-mapping.dmp
- memory/1016-123-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/1016-124-0x0000000000442C62-mapping.dmp
- memory/1016-127-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/1016-129-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/1068-120-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1068-81-0x0000000000000000-mapping.dmp
- memory/1068-84-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1280-93-0x00000000004E1E9E-mapping.dmp
- memory/1280-107-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1280-130-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1280-119-0x00000000002A6000-0x00000000002B7000-memory.dmp (Filesize: 68KB)
- memory/1444-97-0x0000000000000000-mapping.dmp
- memory/1644-68-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-58-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-77-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1644-132-0x0000000000166000-0x0000000000177000-memory.dmp (Filesize: 68KB)
- memory/1644-57-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-60-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-61-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-62-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-63-0x00000000004E1E9E-mapping.dmp
- memory/1644-86-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1644-65-0x0000000000400000-0x00000000004E6000-memory.dmp (Filesize: 920KB)
- memory/1644-117-0x0000000000166000-0x0000000000177000-memory.dmp (Filesize: 68KB)
- memory/1688-75-0x0000000000000000-mapping.dmp
- memory/1700-76-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1700-72-0x0000000000000000-mapping.dmp
- memory/1700-85-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1736-103-0x0000000000000000-mapping.dmp
- memory/1736-108-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1736-131-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1748-116-0x0000000000000000-mapping.dmp
- memory/1772-67-0x0000000000000000-mapping.dmp
- memory/1884-112-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1884-78-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1884-55-0x0000000074740000-0x0000000074CEB000-memory.dmp (Filesize: 5.7MB)
- memory/1884-54-0x0000000075201000-0x0000000075203000-memory.dmp (Filesize: 8KB)